matanbuchus | 5ffd6e81c8621c99f3b4da51567c5f2493d0ba6a75ab1c2071938aabc3349072

Analysis

max time kernel
221s
max time network
225s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
20-07-2022 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9.msi
Size

224KB
MD5

6892679f8a4b438c582c9954e15acd19
SHA1

546bae92165363acd3e0aaef964cc02ec2a2e67d
SHA256

7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9
SHA512

064ece5fe73a356d9078e13134288e144288bd9e9d8d06cdd72f3aaf4cc9d397b5443be67e2d07f78a282d875187a9679e19506ae580d84c9a44142da366f108

Score

10^/10

matanbuchus loader

Malware Config

Signatures

Matanbuchus
A loader sold as MaaS first seen in February 2021.
loader matanbuchus

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	1500	msiexec.exe
4	1500	msiexec.exe
5	1548	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
1484	regsvr32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\6c7ccf.msi	msiexec.exe
File created	C:\Windows\Installer\6c7cd0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\6c7cd2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c7cd0.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6c7ccf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI81AB.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1548	msiexec.exe
1548	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1500	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeSecurityPrivilege	1548	msiexec.exe
Token: SeCreateTokenPrivilege	1500	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1500	msiexec.exe
Token: SeLockMemoryPrivilege	1500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1500	msiexec.exe
Token: SeMachineAccountPrivilege	1500	msiexec.exe
Token: SeTcbPrivilege	1500	msiexec.exe
Token: SeSecurityPrivilege	1500	msiexec.exe
Token: SeTakeOwnershipPrivilege	1500	msiexec.exe
Token: SeLoadDriverPrivilege	1500	msiexec.exe
Token: SeSystemProfilePrivilege	1500	msiexec.exe
Token: SeSystemtimePrivilege	1500	msiexec.exe
Token: SeProfSingleProcessPrivilege	1500	msiexec.exe
Token: SeIncBasePriorityPrivilege	1500	msiexec.exe
Token: SeCreatePagefilePrivilege	1500	msiexec.exe
Token: SeCreatePermanentPrivilege	1500	msiexec.exe
Token: SeBackupPrivilege	1500	msiexec.exe
Token: SeRestorePrivilege	1500	msiexec.exe
Token: SeShutdownPrivilege	1500	msiexec.exe
Token: SeDebugPrivilege	1500	msiexec.exe
Token: SeAuditPrivilege	1500	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1500	msiexec.exe
Token: SeChangeNotifyPrivilege	1500	msiexec.exe
Token: SeRemoteShutdownPrivilege	1500	msiexec.exe
Token: SeUndockPrivilege	1500	msiexec.exe
Token: SeSyncAgentPrivilege	1500	msiexec.exe
Token: SeEnableDelegationPrivilege	1500	msiexec.exe
Token: SeManageVolumePrivilege	1500	msiexec.exe
Token: SeImpersonatePrivilege	1500	msiexec.exe
Token: SeCreateGlobalPrivilege	1500	msiexec.exe
Token: SeBackupPrivilege	924	vssvc.exe
Token: SeRestorePrivilege	924	vssvc.exe
Token: SeAuditPrivilege	924	vssvc.exe
Token: SeBackupPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1968	DrvInst.exe
Token: SeRestorePrivilege	1968	DrvInst.exe
Token: SeRestorePrivilege	1968	DrvInst.exe
Token: SeRestorePrivilege	1968	DrvInst.exe
Token: SeRestorePrivilege	1968	DrvInst.exe
Token: SeRestorePrivilege	1968	DrvInst.exe
Token: SeRestorePrivilege	1968	DrvInst.exe
Token: SeLoadDriverPrivilege	1968	DrvInst.exe
Token: SeLoadDriverPrivilege	1968	DrvInst.exe
Token: SeLoadDriverPrivilege	1968	DrvInst.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe
Token: SeTakeOwnershipPrivilege	1548	msiexec.exe
Token: SeRestorePrivilege	1548	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1500	msiexec.exe
1500	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 1644	1548	msiexec.exe	33
PID 1548 wrote to memory of 1644	1548	msiexec.exe	33
PID 1548 wrote to memory of 1644	1548	msiexec.exe	33
PID 1548 wrote to memory of 1132	1548	msiexec.exe	32
PID 1548 wrote to memory of 1132	1548	msiexec.exe	32
PID 1548 wrote to memory of 1132	1548	msiexec.exe	32
PID 1548 wrote to memory of 1132	1548	msiexec.exe	32
PID 1548 wrote to memory of 1132	1548	msiexec.exe	32
PID 1132 wrote to memory of 1484	1132	regsvr32.exe	34
PID 1132 wrote to memory of 1484	1132	regsvr32.exe	34
PID 1132 wrote to memory of 1484	1132	regsvr32.exe	34
PID 1132 wrote to memory of 1484	1132	regsvr32.exe	34
PID 1132 wrote to memory of 1484	1132	regsvr32.exe	34
PID 1132 wrote to memory of 1484	1132	regsvr32.exe	34
PID 1132 wrote to memory of 1484	1132	regsvr32.exe	34

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7e37d028789ab2b47bcab159da6458da2e8198617b0e7760174e4a0eea07d9c9.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1500

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\regsvr32.exe
    -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    3⤵
    - Loads dropped DLL
    PID:1484
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
  2⤵
  PID:1644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000494" "0000000000000570"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Filesize
1KB

MD5
78f2fcaa601f2fb4ebc937ba532e7549

SHA1
ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

SHA256
552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

SHA512
bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
bd5fe4e638da1701ce6c0a04639f26f5

SHA1
a3fbe5eedfb710fce62d580e90e4c06fbedec5a2

SHA256
8f3a2c638ecb3cf09fd4ea4bacfbf8f9fbf4f45fba2e4cd9faad0a67f69a0ad0

SHA512
6c44f5f2fc2353b4b2aaf90b65e41d222c55c5c6ee326c594b0f7b86900aabbf9ad92a4a4cc2a13e63fc5acb4d775b65fde8bc579565e08e91fbbc82e930910f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Filesize
254B

MD5
9894fb38a07a8ce643c6a58f11b1e053

SHA1
7d0b9a8f15eaa338bb7aced4faf49ed7d5299e4b

SHA256
007a6c5433c58fc0581596931ada0d2eded1e6dd53c4245bb4ad03e4b8337f43

SHA512
f00d6a97fe8dc4e7f20217806a03bbd6b72b5798ea15cf677bfac26d3386999203e9b5743c54fe4538b8b4a58ed66b63fee7a353568b50108ed13e143b351bc0

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll

Filesize
401KB

MD5
8f4c28685a3373241bec9af4bf6a6a3e

SHA1
b17610603b063aff1f48bfcaba4f4d4a25579eef

SHA256
7efb8b4ac75560f1f21db9c1a77b2199921f53d74c3d4d6318852cfcdebc066a

SHA512
f9a3cc700320f069d7bdfd7ed49c576757974a328d254a2a28976d226354ee8bb2020d186766a1c4503e3f1a1a6e10fc8ff59995fe97cbc3abbd1ed868a1d4a6

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs

Filesize
68B

MD5
0308aa2c8dab8a69de41f5d16679bb9b

SHA1
c6827bf44a433ff086e787653361859d6f6e2fb3

SHA256
0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489

SHA512
1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

Download Submit
\Users\Admin\AppData\Local\AdobeFontPack\main.dll

Filesize
401KB

MD5
8f4c28685a3373241bec9af4bf6a6a3e

SHA1
b17610603b063aff1f48bfcaba4f4d4a25579eef

SHA256
7efb8b4ac75560f1f21db9c1a77b2199921f53d74c3d4d6318852cfcdebc066a

SHA512
f9a3cc700320f069d7bdfd7ed49c576757974a328d254a2a28976d226354ee8bb2020d186766a1c4503e3f1a1a6e10fc8ff59995fe97cbc3abbd1ed868a1d4a6

Download Submit
memory/1484-65-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1500-54-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

Filesize
8KB

Download